New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics.

Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data.

The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure.

If a wearable device is provided to a patient by a HIPAA-covered entity, the data the device collects, records, and transmits must be secured at all times. If the same device is provided by a non-HIPAA-covered entity, personal data collected by the device will not necessarily be protected to the same standards. Consumers are afforded a certain level of privacy protection as the Federal Trade Commission (FTC) regulates wearable technology, although HIPAA Rules are far more stringent.

Consumers may not be aware that health data collected by wearable technology may not be protected to the standards demanded by HIPAA and that lack of knowledge may result in consumers unwittingly giving up certain privacy protections. The Department of Health and Human Services’ Office for Civil Rights has responded to the issue by issuing a report warning that wearable devices may not be covered by HIPAA Rules and consumers may be providing consent for their health data to be used by non-HIPAA covered entities without knowing exactly how their data will be collected, protected, and used.

However, more must be done to ensure consumers are informed about how their data will be collected and used and greater privacy controls must be put in place to ensure sensitive data are adequately protected regardless of which entity collects the data.

This month, researchers from the American University in Washington, D.C., and the Center for Digital Democracy published a report – Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection – on the problem. The report raises awareness of the privacy and security gaps in current federal legislation and calls for further regulation of wearable devices to ensure consumer data are adequately protected and users of the devices are informed about how their data will be used.

In the 122-page report the researchers explain that while there are current privacy and security concerns surrounding wearable technology, those issues will become more serious as new and more sophisticated devices come to market. They explain that in the not-too-distant future, “Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature, and movement, but also brain activity, moods, and emotions.”

It is not only the information collected by the devices that is a cause for concern. The researchers point out that data collected by the devices “can, in turn, be combined with personal information from other sources—including health-care providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”

As the devices become more integrated into everyday life, the researchers warn that the ability of consumers to make informed decisions about privacy and the use of their data will depend, to a large extent, on the effectiveness of government and self-regulatory policies.

However, at present there are insufficient privacy controls in place and major gaps in coverage exist due to “limited and fragmented” government privacy laws. Unless new policies are put in place to ensure the privacy of consumers is protected, Americans could be exposed to serious privacy risks by using these devices.

The report makes a number of recommendations for protecting consumers’ privacy and suggests ways the government, academic institutions, and consumer and privacy groups can join forces to develop a new and more effective strategy for protecting the health data collected by wearable devices.

The recommendations include:

The creation of a Public Interest Connected-Health Task Force incorporating privacy experts from a broad range of consumer, privacy, and civil liberties organizations to enhance privacy protections in the big data-era. The task force should be responsible for “analyzing new developments, developing public policy and self-regulatory proposals, conducting outreach to other key stakeholders, and engaging in constructive dialogue with industry and government officials.”

Classifying all data collected by wearable technology as sensitive, regardless of which organization or entity collects and uses those data. The researchers also call for an affirmative and effective consent process to be implemented before any consumer data can be collected and used.

Consumers should be allowed to place limits on the types of data that can be collected and used by wearable devices, while companies should clearly explain how, and under what circumstances, data will be collected, used, and shared.

Companies that collect data should make it clear how consumers can access those data, correct any errors, and arrange for their data to be deleted should they so wish. Any requests must be dealt with in a timely manner and at minimal cost to the consumer.

The use of usability testing to ensure consumer privacy policies can be easily understood by consumers, regardless of the size of screen used to access the information. Companies should also publish the results of their studies.

The creation of standards by self-regulatory organizations that are applied to all organizations, not only those covered by HIPAA Rules.

The use of fair marketing practices to ensure data collected from the users of wearable devices are not used to discriminate based on “ethnicity, gender, sexual orientation, age, community, or medical condition.”

The placing of limits on the sharing of heath data to prevent organizations from sharing data with third parties where advertising, marketing, or the promotion of other services are involved and the provision of data to other entities without the knowledge or consent of consumers.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.